As currently stated, FIA_X509_EXT.1.10 only provides the option for the administrator to allow or disallow the establishment of an SA if the TSF cannot establish a connection to determine the validity of a certificate. In newer PPs, this requirement contains a selection that includes the option to always disallow the establishment of an SA.

Resolution

Change FIA_X509_EXT.1.10 to read:

FIA_X509_EXT.1.10 When the TSF cannot establish a connection to determine the validity of a certificate, the TSF shall [selection: allow the administrator to choose whether to accept the certificate in these cases, not accept the certificate].

Change the Application Note to read:

The intent of FIA_X509_EXT.1.10 is that the TOE is either configurable by an administrator to allow or disallow session establishment if the TOE cannot connect to an entity responsible for providing certificate validation information, or that the certificate is automatically rejected (and thus the connection is disallowed). For instance, if the first selection is chosen, if a CRL cannot be obtained because a machine is down, or the network path is broken, the administrator may elect to configure the TOE to allow sessions to continue to be established, rather than terminate the TOE’s ability to establish any new SAs because it cannot reach the CA. If the second selection is chosen in the above scenario, the certificate would be rejected and no new SAs would be able to be established.

Justification

Adding the option to always not accept the certificate is consistent with wording in other PPs and meets the intent of the FIA_X509_EXT.1.10 requirement.